On Demand Migration Current - Active Directory Intune, Autopilot and BitLocker Quick Start Guide

Introduction

On Demand Migration for Active Directory (ODMAD) supports Microsoft Entra ID Join device migration for devices running Windows 10 or Windows 11 while preserving the User Profiles and File/Folder Security Permissions. 

ODMAD successfully migrates these devices to the target Microsoft Entra ID using the default ODMAD settings, including migrating devices that are already Intune-enrolled and devices that were originally provisioned using Autopilot. In addition to migrating the devices to Microsoft Entra ID, a best practice is to also clear previous Autopilot and Intune settings to allow successful Intune enrollment and management in the target.

This step-by-step guide walks through how to migrate Intune-managed devices between two Microsoft Entra ID (Cloud Only) tenants.

This guide is a supplementary document to the Active Directory Entra-Join Quick Start Guide.

Topics

This guide covers the following topics:

  • Requirements

  • Intune/Autopilot Workstation Cutover High-Level Process

  • High level Custom Task Explanation

  • Implementation Process

  • Intune Cutover Run Book

 

Requirements

General

  • Client is licensed for On Demand Migration Active Directory and Directory Sync

  • One Global Administrator Account for each Microsoft 365 tenant

Accounts

Microsoft Entra ID Application Account

  • An account with the Global Administrator role is required to grant permissions and establish the connection when adding a Cloud Environment.

Microsoft Entra ID PowerShell Accounts

  • Three (3) PowerShell accounts are automatically created to read and update objects in the cloud. To do this, an OAuth token from the account used to add the Cloud Environment is used.

  • These PowerShell accounts do not require any Microsoft 365 licenses.

 

Intune/Autopilot Workstation Cutover High-Level Process

The high-level process no longer requires modifying the Default Microsoft Entra ID Cutover action in ODMAD. However, if BitLockerBackup is required for the migration, an additional task must be added, as noted in the list below:

  • AutoPilot Cleanup – Default Task, removes the Autopilot registry keys from the workstation. This should be done after the workstation has been removed from Enrolled Devices in the source tenant.

  • BT-DownloadReACLConfig – Default Task

  • BT-ReACLPrepareWin10Profiles – Default Task

  • BitlockerBackupToEntraID (Only required if source workstations are BitLocker Enabled) – If the workstation is BitLocker enabled in the source, the Recovery key is not automatically transferred to the target Microsoft Entra ID. This task creates a PowerShell script on the workstation and a Scheduled Task that runs the script after the user has logged on post migration. The script escrows the existing recovery key from the workstation and writes it to the target Microsoft Entra ID account.

  • CleanupLocalAdministratorsGroup (Optional) – If the source user was an Administrator on the machine, the Re-ACL process will put the target user in the Administrators group. This task will remove users from the Local Administrator Group.

  • BT-EntraIDCutover – Default Task
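
The escrow step described for BitlockerBackupToEntraID can be illustrated with the built-in BitLocker cmdlets. The script below is an added example, not the script ODMAD generates. It assumes it runs elevated on a device that has already joined the target tenant, and it records only key protector IDs so the recovery password itself never lands in task output or logs.

```powershell
#Requires -RunAsAdministrator
# Added example (not the ODMAD task's own script): escrow existing BitLocker
# recovery passwords to the Entra ID tenant the device is currently joined to.
# Assumption: runs elevated, after the Entra join to the target has completed.
$ErrorActionPreference = 'Stop'

# Escrow goes to whichever tenant the device is joined to, so check the join first.
$joined = dsregcmd.exe /status | Select-String 'AzureAdJoined\s*:\s*YES'
if (-not $joined) {
    Write-Error 'Device is not Entra joined; no recovery key was escrowed.'
}

$escrowed = 0
foreach ($vol in Get-BitLockerVolume) {
    # Only numerical recovery passwords can be backed up to Entra ID.
    $protectors = @($vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')

    if ($protectors.Count -eq 0) {
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector, skipped."
        continue
    }

    foreach ($kp in $protectors) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
            -KeyProtectorId $kp.KeyProtectorId | Out-Null

        # Record the protector ID only; never write $kp.RecoveryPassword anywhere.
        Write-Output "$($vol.MountPoint): escrowed protector $($kp.KeyProtectorId)"
        $escrowed++
    }
}

if ($escrowed -eq 0) {
    Write-Warning 'No BitLocker recovery passwords were found to escrow.'
}

# Confirmation: Windows logs event 845 in the BitLocker management log when a
# recovery key backup to Entra ID succeeds.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

After it runs, confirm that the key protector IDs it reports match the recovery keys listed for the device object in the target tenant before the source tenant's copy is retired.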
